[cvs] [Wiki] changed: SecurityMeasures

Jan Schneider jan at horde.org
Thu Sep 25 17:52:43 UTC 2008


jan  Thu, 25 Sep 2008 13:52:43 -0400

Modified page: http://wiki.horde.org/SecurityMeasures
New Revision:  1.4
Change log:  Start a list of concrete security measures, feel free to  
add more.

@@ -1,7 +1,13 @@
  + Security Measures

  All Horde software is developed with strict coding standards and  
under continuous peer review. It's in development for 7 years and  
being reviewed for security issues by user, administrators, security  
experts and developers constantly.

-We have active measures against common web application flaws like  
session fixation and cross site scripting.
+We have active measures against common web application flaws like  
session fixation and cross site scripting. The following list of  
measures makes no claim to be complete:
+* A new session is created on login and logout to protect against  
session fixation.
+* An XSS filter sanitizes HTML content provided from external sources  
to remove any active content.
+* Form tokens protect important actions like logging out or deleting  
messages again CSRF attacks.
+* Session information is by default passed with cookies instead of  
URL parameters, and with secure cookies when using a https connection,  
to make session hijacking more difficult.
+* A dereferrer is used if the user does //not// use session cookies  
and opens an external link, to strip session parameters from the  
referrer header.
+* This dereferrer is protected against being abused as an open  
referrer by a hash signature.

  The only piece of code that needs regular updates to fix XSS holes  
is the HTML MIME viewer that is used to view HTML messages in IMP. The  
reason is that people still find new ways to trick browsers,  
especially Internet Explorer, to execute script code every other day.  
Thus this viewer is disabled by default. Our filter is still one of  
the best available though, so other projects are using it in their  
applications too.
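Review bot: the CSRF bullet ("+* Form tokens protect important actions like logging out or deleting messages again CSRF attacks.") has a typo, "again" should read "against". In the last bullet, "abused as an open referrer" presumably means "abused as an open redirector": the dereferrer's job is to redirect the browser to an arbitrary external URL after stripping the session parameter, and an unsigned redirect target is exactly what an attacker would reuse, so naming it by the standard term makes clear what the hash signature is there to prevent. The first bullet would also be more precise as "a new session ID is generated on login and logout", since regenerating the identifier, not merely creating a session, is what defeats session fixation.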
